UNCLASSIFIED
Implementing Security on Cisco Routers
Version 1.0g
East(config)# access-list 105 permit tcp host 14.2.6.1 any eq 23 log
East(config)# access-list 105 permit tcp host 14.2.6.18 any eq 23 log
East(config)# access-list 105 deny ip any any log
East(config)# line vty 0 4
East(config-line)# access-class 105 in
East(config-line)# end
SNMP Service
A Cisco router can be configured to act as a client for SNMP. When SNMP service
is enabled on a router, network management tools can use it to gather information
about the router configuration, route table, traffic load, and more. Versions 1 and 2
of SNMP are not considered very secure due to the lack of strong authentication.
Thus, SNMP should be used only on the internal or protected network. The following
example shows the configuration of a standard IP access list that is applied to the SNMP
server. This access list allows the host with IP address 14.2.6.6 to gather SNMP
information from the router. The list denies all other connections.
East(config)# access-list 75 permit host 14.2.6.6
East(config)# snmp-server community n3t-manag3m3nt ro 75
For more information about SNMP configuration, see Sections 4.2.2 and 4.5.3.
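The two controls above (an access-class on the vty lines and an access list on the SNMP community) are easy to leave off one line block or one community string. As an added example, not part of the guide, the following Python check walks a running-config excerpt and reports vty blocks without an access-class, read-write or unrestricted community strings, and references to access lists that are never defined. The configuration text is constructed for the example.

```python
import re

# Constructed running-config excerpt (not from the guide): one vty block with
# an access-class, one without, and a second community string without an ACL.
SAMPLE_CONFIG = """\
access-list 75 permit host 14.2.6.6
access-list 105 permit tcp host 14.2.6.1 any eq 23 log
access-list 105 permit tcp host 14.2.6.18 any eq 23 log
access-list 105 deny ip any any log
snmp-server community n3t-manag3m3nt ro 75
snmp-server community public rw
line vty 0 4
 access-class 105 in
line vty 5 15
 exec-timeout 5 0
"""

def audit_config(config):
    """Return findings for vty lines and SNMP communities lacking restrictions."""
    findings = []
    acls = set(re.findall(r"^access-list (\d+) ", config, re.M))  # defined ACLs
    protected = {}   # "vty a b" -> access-class number applied, or None
    current = None   # vty block whose indented child lines we are reading
    for line in config.splitlines():
        m = re.match(r"^line (vty \d+ \d+)$", line)
        if m:
            current = m.group(1)
            protected[current] = None
            continue
        if current and line.startswith(" "):
            m = re.match(r"\s+access-class (\d+) in", line)
            if m:
                protected[current] = m.group(1)
            continue
        current = None  # back at top level
        m = re.match(r"^snmp-server community (\S+)(?: (ro|rw))?(?: (\d+))?", line)
        if m:
            name, mode, acl = m.groups()
            if mode == "rw":
                findings.append(f"snmp community {name}: read-write access")
            if acl is None:
                findings.append(f"snmp community {name}: no access list")
            elif acl not in acls:
                findings.append(f"snmp community {name}: access list {acl} undefined")
    for vty, acl in protected.items():
        if acl is None:
            findings.append(f"line {vty}: no access-class applied")
        elif acl not in acls:  # reference to a list that is never defined
            findings.append(f"line {vty}: access-class {acl} undefined")
    return findings
```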
OSPF Service
Communications between routers for routing table updates involve routing protocols.
These updates provide directions to a router on which way traffic should be routed.
You can use access lists to restrict what routes the router will accept (in) or advertise
(out) via routing protocols. The following example shows the configuration of an
extended IP access list applied to the OSPF routing protocol, area 1. With the access
list applied, router North will not advertise routes to the 14.2.9.0 network.
North(config)# access-list 10 deny 14.2.9.0 0.0.0.255
North(config)# access-list 10 permit any
North(config)# router ospf 1
North(config-router)# distribute-list 10 out
North(config-router)# end
For more information about OSPF security configuration, see Section 4.4.
4.3.3. Filtering Traffic through the Router
The following examples illustrate methods to protect the router or the internal
network from attacks. Note: these separate examples should not be combined into
one access list because the result would contain contradictions. In the next section an
example configuration file is presented that shows one way to combine these
methods into access lists. Refer to the network diagram in Figure 4-1 to understand
the example interfaces, their IP addresses and the corresponding access lists.